Astra, Inc. (“Astra” “we” “us” “our”) is committed to protecting and respecting your privacy. We understand that keeping your financial and personal information secure and confidential is critical to earning and keeping your trust. It is important that you know that your trust is paramount to us.
Information We Collect
To offer the Site, we use information you provide to us, information that we collect automatically when you use or access the Site, or that we collect from you and your financial accounts as you use our Site.
Information you provide to us
To access our services through the Site, you are required to sign up for an account. When you sign up for an account, we may ask you to provide us with Personal Information about you, like your name, e-mail address, mobile phone number, or an avatar for your account.
During the account setup, you will be asked to provide certain information about you from third-party financial institutions or third-party payments providers with which you have a legally binding customer relationship (each, a “Third-Party Financial Institution”). To enable us to access your financial data with Third-Party Financial Institutions, you will need to provide (as applicable): the name of the Third-Party Financial Institution, the username or email associated with that institution, the password for your financial account, and other similar information.
We collect this information to establish a connection with your financial accounts and gain access to information and data we need to provide you with the services you request, including your bank account and routing number with that institution. We do not store your bank account and routing number in our systems.
Information we collect from your use of our Site or App
In addition to the information you provided when creating your account, we may collect information from you during your use of the Site. For instance, we may collect information from you about the device you use to access the Site, what operating system or internet browsing software you use for that access, and your IP address. We also may collect information about how you use our Site, including what links you may click on or whether you have visited our Site in the past and when.
When you authorize us to access information from your financial accounts with Third-Party Financial Institutions, we may also collect information about those accounts, including the balance of those accounts, what type of institution is holding the account, and what type of account is involved (i.e., checking or savings and credit or depository). We also collect information about the transactions that have taken place with that financial account, including, but not limited to, the amount of the transaction, where the transaction took place, and the time of the transaction.
Cookies and Google Analytics
- better understanding how you use our Site;
- detecting and defending against fraud and other security risks; and
- better presenting advertisements, products, and/or services of interest to you.
To learn more about how Google Analytics collects and processes data, please visit “How Google uses data when you use our partners’ sites or apps”, located at www.google.com/policies/privacy/partners/.
How We Use the Information We Collect
We use the information we collect for a variety of purposes, including:
- Providing the Site and all related services to you;
- Improving the Site and all related services, as well as to research and develop new services, determine customer demand for new or improved services, and specifically tailoring or customizing our services for you and other customers; however, we will not use your Personal Information for these purposes;
- Communicating with you regarding your account, changes to the Site or services we provide, and promotional material about new services or products we may be offering; however, we will not use your Personal Information for these purposes;
- Responding to requests or inquiries from you;
- Providing customer support or technical assistance;
- Creating or administering your account, including identifying you with your account;
- Billing you, as applicable;
- Maintaining the Site, including by ensuring compatibility with software and hardware you or our customers typically use;
- Securing the Site and our systems and networks, and protecting your information and data; and
In addition to the above, we may use Personal Information about your transactions (including their amount, where they take place, and when they occurred) (“Transaction Information”) to provide you with summaries, reports, or trends regarding your spending, including information on the categories or frequency of purchases. We may use your Transaction Information to help show you trends in your spending, to predict future spending, or to highlight opportunities for savings. We may use Transaction Information to highlight unusual spending trends – like spending associated with a business trip/vacation or major purchases – to improve your record keeping and budgeting. We may use your Transaction Information to show you the way such transactions may have affected your financial goals.
Information We Share with Others
We do not disclose your personal or financial information to companies, organizations, or individuals outside of Astra, subject to the following exceptions.
Information Disclosed to Vendors in Order to Provide our Services
We may share your Personal Information to the extent necessary to provide the Site and services. This includes, but is not limited to, updating, securing, and troubleshooting, as well as providing support. Some examples of entities to whom we disclose information are as follows:
- Name of the financial institution where your account is held;
- Your username;
- Your email address; and
- Password for that financial account.
Plaid receives this information and establishes a connection to those financial accounts. Once the connection is established, we delete the financial account information from our system.
Google Analytics – As indicated above, we also provide information regarding your use of our Site, or clicks on links to other sites on our Site, to Google Analytics.
Persona – In certain circumstances, we may share your Personal Information with vendors who help us verify your identity by performing biometric analysis to help us verify your identity and detect and prevent fraud. We use Persona to perform identity verification through facial geometry analysis.
Additionally, we may provide access to your information to other third-party vendors who may be assisting us with the operation, maintenance, or security of our Site.
Information Disclosed to our Service Providers
We also share Personal Information with our Essential Service Providers as necessary to provide the Site and the services to you. For example, we use Google Cloud Platform (GCP) as a cloud server provider, and as such we necessarily share Personal Information with GCP. Information shared with such essential service providers is strictly limited to the purposes of providing the Site and the services to you. These Service Providers are based out of the United States and process and store any Personal Information from the United States. For individuals located outside of the United States, this means that applicable data protection legislation may be different from your country, and they will have access to your Personal Information as necessary to perform their functions, but they may not share that Personal Information with any other third party or use that data for any other purpose.
Information Disclosed in Connection with Business Transactions
We may disclose Personal Information to a third party in the event of reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any of our business, assets, or stock, including in connection with bankruptcy or similar proceedings.
Information Disclosed for Our Protection and the Protection of Others
We may disclose your Personal Information if legally required to do so, pursuant to a request from a governmental entity, or if we believe in good faith – after considering your privacy interests and other factors – that such action is necessary to:
- Comply with legal process or requirements, including notification obligations;
- Respond to requests from public and government authorities or regulators (including those outside your country of residence);
- Enforce our contractual rights and comply with our contractual agreements;
- Protect the rights, privacy, safety, or property of you, Astra, and others; and
- Stop any activity that we consider illegal, unethical, or legally actionable.
Information Disclosed to Others in Accordance with Your Preferences
We may disclose Personal Information to third parties only if you consent to such disclosure by affirmative opt-in.
Information You Share with Others
Our Site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for their policies. Please check these policies before you submit any personal data to these websites.
We attempt to provide you with accurate information about your financial accounts. To do so, we need accurate information from you about yourself and those accounts. If you find that information we have about you is outdated, missing, or incorrect, we would ask that you notify us at [email protected] of these errors so that they can be addressed. We may ask you to verify your identity before we act on any request to change your information. We may also reject requests that are unreasonably repetitive, require extraordinary or disproportionate technical effort or cost, risk the privacy or security of others, or would be extremely impractical.
How to Request the Deletion of Personal Information We Collect
You may request your account be deleted by our support department by emailing privacy @astra.finance from the email address associated with your account, indicating “CANCEL” in the subject line of the message. After confirming you are the account owner we will remove Personal Information from our records and will only continue to retain such information as required by law.
Information for California Residents
In this privacy notice, “Personal Information” has the same meaning as under the California Consumer Privacy Act, as amended by the California Privacy Rights Act and accompanying regulations (collectively, the “CCPA”), California Civil Code Section 1798.100 et seq.: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Information does not include information that has been de-identified or aggregated.
Personal Information We Collect and Disclose, and for What Purposes
In the past 12 months, we have collected the Personal Information discussed above in the section titled Information We Collect and have used it for the purposes described in the section titled How We Use the Information We Collect.
We have also disclosed the following Personal Information for a business purpose in the past 12 months to the following categories of entities:
|Category of Personal Information Disclosed
|Category of Entity to Whom Personal Information was Disclosed for a Business Purpose
|Business Purpose for Such Disclosures
|Personal Identifiers (e.g., name, username, ID, mailing address, Social Security Number, email address, date of birth, etc.)
|Service providers; Vendors
|To provide the Site and services to you; to verify your identity.
|Financial Information (e.g. bank account number, routing number, etc.)
|Service Providers; Vendors; Financial Institutions
|To process your transactions
|Service Usage, Cookies, Device, and Location Information (e.g., log-ins, device information, IP addresses, proxy server, operating system, web browser and add-ons, device identifier and features, ISP or your mobile carrier, etc.)
|Service providers; Vendors
|To provide website functionality and maximize your experience
|Service Providers; Vendors
|To help us verify your identity and to help us detect and prevent fraud
Please note that some of the Personal Information we have collected and/or disclosed in the past 12 months qualifies as Sensitive Personal Information under the CCPA (i.e., Biometric information for the purpose of uniquely identifying an individual). We do not use or disclose Sensitive Personal Information for purposes other than that which is necessary and proportionate to accomplish the objectives set forth in Cal. Code Regs. tit. 11 §7027(m). Specifically, in the past 12 months, we have collected and/or disclosed the following categories of Sensitive Personal Information:
- Social Security Numbers, drivers’ licenses, state identification card information;
- Financial account information;
- Precise geolocation information;
- Biometric information for the purpose of uniquely identifying an individual.
While we do not sell Personal Information in the way the term “sell” is commonly used, we do disclose limited cookie data with our business partners in order to provide and maintain our Site. Such a disclosure may constitute a “sale” for purposes of the CCPA. We have made such disclosures in the past 12 months.
In the past 12 months, we have not “shared” Personal Information as the term is defined by the CCPA.
You have the right to request certain information about our collection and use of your Personal Information over the past 12 months. In response, we will provide you with the following information:
- The categories of Personal Information that we have collected about you;
- The categories of sources from which that Personal Information was collected;
- The business or commercial purpose for collecting or selling your Personal Information;
- The categories of third parties with whom we have shared your Personal Information; and
- The specific pieces of Personal Information that we have collected about you.
You have the right to request that we delete the Personal Information that we have collected about you. Under the CCPA, this right is subject to certain exceptions: for example, we may need to retain your Personal Information to provide you with the Site or certain services or complete a transaction or other action you have requested. If your deletion request is subject to one of these exceptions, we may deny your deletion request.
You have the right to request that we correct inaccurate Personal Information that we have collected about you.
Right to Opt Out of Sale or Sharing
You have the right to opt out of the sale or sharing of your Personal Information. You may do so by contacting us via one of the methods provided above or click our “do not sell or share my Personal Information” link on our Site. To our knowledge, we do not sell or share the Personal Information of minors under 16 years of age.
Right to Limit the Use of Sensitive Personal Information
As we do not use your Sensitive Personal Information for purposes other than those set forth in Cal. Code Regs. tit. 11 §7027(m), we do not provide you with a way to limit the use of your Sensitive Personal Information.
Exercising Your Rights
To exercise the rights described above, you or your Authorized Agent (defined below) must send us a request that (1) provides sufficient information to allow us to verify that you are the person about whom we have collected Personal Information, and (2) describes request in sufficient detail to allow us to understand, evaluate and respond to it. Each request that meets both of these criteria will be considered a “Valid Request.” We may not respond to requests that do not meet these criteria. We will only use Personal Information provided in a Valid Request to verify your identity and complete your request. You do not need an account to submit a Valid Request.
We will work to respond to your Valid Request within 45 days of receipt. In certain circumstances, we may require an additional 45 days to complete your request. We will not charge you a fee for making a Valid Request unless your Valid Request(s) is excessive, repetitive or manifestly unfounded. If we determine that your Valid Request warrants a fee, we will notify you of the fee and explain that decision before completing your request.
You may submit a Valid Request by emailing us at [email protected] or contacting us at (650) 485-3965.
You may also authorize an agent (an “Authorized Agent”) to exercise your rights on your behalf. To do this, you must provide your Authorized Agent with written permission to exercise your rights on your behalf, and we may request a copy of this written permission from your Authorized Agent when they make a request on your behalf.
We Will Not Discriminate Against You for Exercising Your Rights Under the CCPA
We will not discriminate against you for exercising your rights under the CCPA. We will not deny you our goods or services, charge you different prices or rates, or provide you a lower quality of goods and services if you exercise your rights under the CCPA. However, we may offer different tiers of our services as allowed by applicable data privacy laws (including the CCPA) with varying prices, rates, or levels of quality of the goods or services you receive to the extent that that difference is related to the value of Personal Information that we receive from you.
California Do Not Track Disclosures
Do Not Track. Astra does not track its users over time and across third-party websites and therefore we do not respond to Do Not Track signals. However, Astra does recognize Global Privacy Control signals where legally required. A Global Privacy Control (“GPC”) is a browser setting that a user can set in order to send a signal to each website visited regarding the user’s privacy preferences, such as not to share or sell user’s Personal Information. If your browser or browser extension has GPC enabled, our website will automatically recognize that signal and opt you out of the sale of your Personal Information. For more information about GPC and how to implement GPC opt-out preference signals, please visit Global Privacy Control.
Other California Resident Rights
Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to contact us to prevent disclosure of Personal Information to third parties for such third parties’ direct marketing purposes; in order to submit such a request, please contact us at [email protected]. Astra does not disclose Personal Information to third parties for such third parties’ direct marketing purposes.
Nevada Resident Rights
If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Information to third parties who intend to license or sell that Personal Information. You can exercise this right by contacting us at [email protected], however Astra does not sell Personal Information.
We are committed to protecting Astra and our users from unauthorized access to, or unauthorized alteration, disclosure, or destruction of, information we may possess. To provide for the security of information in our possession, we implement reasonable technical, physical, and administrative safeguards. These safeguards may include, but are not limited to:
- Encrypting Personal Information in our possession;
- Offering or requiring multi-step authentication when you access your account;
- Reviewing our Personal Information collection, storage, and processing practices, including physical security measures, to guard against unauthorized access; and
- Restricting access to personal or financial information to Astra employees, contractors, partners, or agents who need to know that information in order to process it for us and are subject to confidentiality obligations.
However, please not that no method of transmitting information over the internet is 100% secure and we therefore cannot guarantee the absolute safety of the Personal Information we maintain.
Updates and Changes
Questions About Our Privacy Practices
Additional Privacy Notice to Colorado, Virginia, Utah, Iowa, Indiana, Tennessee and Connecticut Residents
This Privacy Notice (“Notice”) applies to individuals who reside in the states of Colorado, Virginia, Utah, Iowa, Indiana, Tennessee, and Connecticut. This Notice describes your rights pursuant to the Colorado Privacy Act, Virginia Consumer Data Protection Act, the Indiana Consumer Data Protection Act, the Iowa Consumer Data Protection Act, the Tennessee Information Protection Act, the Utah Consumer Privacy Act, and the Connecticut Data Privacy Act (the “Applicable Laws”). Capitalized terms used but not defined in this Notice have the meaning assigned to them by the Applicable Laws.
This section provides additional details regarding the Personal Information that we collect or process about residents of the aforementioned states. For the purpose of this section, “Personal Information” means any information that is linked or reasonably linkable to an identified or identifiable natural person.
In the last 12 months, we have not sold your Personal Information, used such information for Targeted Advertising, or used Personal Information to profile in furtherance of decisions that produce legal or similarly significant effects concerning you as such terms are defined by the Applicable Laws.
Collection of Sensitive Personal Information
Please note that some of the information we collect may constitute sensitive information for purposes of the Applicable Laws. To the extent required by the Applicable Laws, we will not process such sensitive information without your prior consent.
Disclosure of Personal Information to Third Parties
To learn how we disclose your information to third parties, please visit the section titled “Information we Share with Others” above. All categories of Personal Information discussed may be disclosed to third parties (e.g., service providers, our affiliates, etc.).
Under the Applicable Laws, users who are residents of these states have specific rights regarding their Personal Information subject to certain exceptions. When required, we will respond to most requests within 45 days unless it is reasonably necessary to extend the response time. Subject to certain limitations, you have the following rights:
Colorado, Indiana, Connecticut, Tennessee, Virginia, Iowa, and Utah:
- Right of access: You have the right to confirm whether we process your
- Personal Information and request access to such Personal Information.
- Right to Deletion: You have the right to request that we delete the Personal Information we have collected about you.
- Right to Data Portability: You have the right to request that we provide you with your Personal Information in a portable format.
- The Right to Opt Out: You have the right to opt out of:
- Connecticut, Colorado, Virginia, Indiana, Tennessee Utah:
- Targeted advertising;
- The sale of your Personal Information; and
- Profiling in furtherance of decisions that produce legal or similarly significant effects.
- The sale of your Personal Information as such term is defined by the Iowa Consumer Data Protection Act.
- Connecticut, Colorado, Virginia, Indiana, Tennessee Utah:
Colorado, Indiana, Connecticut, Tennessee, and Virginia only:
- Right to Correction: You have the right to correct inaccuracies in your Personal Information.
At this time, we do not sell your Personal Information, use your Personal Information for Targeted Advertising, or process your Personal Information for purposes of profiling in furtherance of decisions that produce legally or similarly significant effects concerning a consumer, and therefore, opt-out rights are not available.
How to Exercise Your Rights
To exercise the rights described above, please submit a verifiable consumer request to us by either:
- Calling us at: (650) 485-3965
- Email us at: [email protected]
We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to a total of 90 days), we will inform you of the reason and extension period in writing (which may include email). If you would like to appeal our actions in response to your verifiable consumer request, please email [email protected] from the email associated with the Astra profile and include “Appeal request” in the subject line. However, please note that you do not need to create an account to exercise this right. We may simply require additional information if you contact us from an account that is not associated with your profile.
As we do not sell your Personal Information, use such information for Targeted Advertising, or use your Personal Information to profile you in furtherance of decisions that produce legal or similarly significant effects concerning you, we do not provide you with a method to opt out.
In order to protect your privacy and the security of your information, we verify consumer requests by requesting identification documents and other documentation necessary to confirm your identity. Any additional information you provide will be used only to verify your identity and not for any other purpose.
If you have any questions or comments about this Notice, the ways in which we collect and use your information described here, your choices and rights regarding such use, or if you wish to exercise your data privacy rights under the Applicable Laws, please do not hesitate to contact us at:
By Email: [email protected]
By Phone: (650) 485-3965
Authorized Agents in Colorado and Connecticut
If you want to make a request as an authorized agent on behalf of a Colorado or Connecticut resident, you may use the submission methods noted above. As part of our verification process, we may request that you provide, as applicable, proof concerning your status as an authorized agent. In addition, we may require the individual on whose behalf you are making the request to verify their own identity or your permission to submit the request.